Payment cards such as credit or debit cards are ubiquitous. For decades, such cards have included a magnetic stripe on which the relevant account number is stored. To consummate a purchase transaction with such a card, the card is swiped through a magnetic stripe reader that is part of a point of sale (POS) terminal. The reader reads the account number from the magnetic stripe. The account number is then used to route a transaction authorization request that is initiated by the POS terminal. The authorization request is routed from the merchant's acquiring financial institution (“acquirer”) to a server computer operated by or on behalf of the issuer of the payment account. The issuer's server computer provides a response to the authorization request. If the response indicates that the issuer has authorized the transaction, the transaction is consummated at the point of sale. Later the transaction is cleared for settlement via the acquirer and the issuer.
More recently, cards that incorporate an integrated circuit (IC) have been utilized as payment cards. In various embodiments, IC payment cards may be interfaced to a POS terminal via contacts on the card. During a purchase transaction, the payment card account number and other information may be uploaded from the IC payment card to the POS terminal via the IC card contacts and a contact card reader that is included in the POS terminal. Authorization and clearing may then proceed in substantially the same manner as for a transaction initiated with a mag stripe payment card (putting aside additional security measures that may be implemented by using the processing capabilities of the IC payment card).
In other IC payment card systems, the exchange of information between the card and the POS terminal proceeds via wireless RF (radio frequency) communications. These wireless communication payment cards are sometimes referred to as “contactless” payment cards. One example of a contactless payment card standard is referred to in the United States by the brand name “PayPass” and was established by MasterCard International Incorporated, the assignee hereof. It has also been proposed to use wireless exchanges of information via NFC (Near Field Communication) for payment applications.
Conventional payment system purchase transactions that require real-time on-line communication with the account issuer—for the purpose of authorization or (in a “one message” system) for immediate charge against the customer's account—are sometimes referred to as “on-line” transactions. However, some payment card account issuers are willing to allow certain classes of transactions (e.g., transactions for small monetary amounts) to be consummated for later clearing without obtaining authorization from the issuer's computer while the transaction is pending between the merchant and the customer. In these transactions, the merchant's device (POS system) is not required to engage in communications with the issuer's computer while the transaction is taking place, and the transactions are accordingly sometimes referred to as “offline” transactions. For these transactions, issuers typically consider the risk of a relatively small loss to fraud as being outweighed by the need to speed up the transaction for the convenience of the customer and the merchant.
It has been proposed that the capabilities of a contactless payment card be incorporated into a mobile telephone, thereby turning the mobile telephone into a contactless payment device. Typically a mobile telephone/contactless payment device includes integrated circuitry with the same functionality as the RFID (radio frequency identification) IC of a contactless payment card. In addition, the mobile telephone/contactless payment device includes a loop antenna that is coupled to the payment-related IC for use in sending and/or receiving messages, via short-distance wireless communications, in connection with a transaction that involves contactless payment.
Contactless payment devices in other form factors, such as key fobs, wristwatches, wristbands and stickers, have also been proposed. It has also been proposed that mobile devices other than mobile telephones—such as PDAs with mobile communication capabilities—may also incorporate contactless payment functionality.
In general, issuers of payment card accounts are concerned with the subject of “risk management”. Risk management refers to the balancing of the risk of loss due to fraud or over-spending with the costs and inconvenience that may be required for measures that may be undertaken to deter or prevent fraudulent transactions or over-spending. The above-noted practices relating to requiring real-time authorization for some transactions while not requiring such authorization for other transactions are examples of applications of the principles of risk management. The present inventors have now devised additional novel risk management techniques (described below) that are especially suitable for application with payment-enabled mobile devices.